Rewterz Threat Alert – Threat Actor Commits Investment Scam Using New DNS Hijacking Technique – Active IOCs

Severity

High

Analysis Summary

A new threat actor named Savvy Seahorse is utilizing sophisticated techniques to employ fake investment platforms and lure victims into depositing funds which are then transferred to a bank in Russia, underscoring the evolving landscape of cyber threats, particularly in the realm of financial scams.

The targets of these campaigns span various countries, specifically targeting English, Spanish, French, Turkish, Czech, German, Italian, Polish, and Russian users, indicating a widespread and indiscriminate approach to victim selection. Moreover, the threat actors leverage social media platforms like Facebook to distribute advertisements and entice users with promises of high-return investment opportunities through fake ChatGPT and WhatsApp bots.

Security researchers observed a notable aspect of Savvy Seahorse’s tactics is the use of DNS canonical name (CNAME) records to create a traffic distribution system (TDS), allowing them to evade detection since at least August 2021. By registering short-lived subdomains that share a CNAME record, the threat actors create a dynamic and resilient infrastructure that makes it challenging for authorities and cybersecurity teams to disrupt their operations. This technique, combined with the ever-changing nature of domains and IP addresses, enhances the resilience of their infrastructure against takedown efforts.

Furthermore, Savvy Seahorse’s validation of user information to exclude traffic from specific countries adds another layer of sophistication to their operations. The reasoning behind the selection of these specific countries remains unclear, but it demonstrates the threat actor’s strategic approach to targeting and filtering potential victims.

The discovery of Savvy Seahorse marks the first time CNAME records have been utilized for such malicious purposes, highlighting the continuous evolution and innovation among cybercriminals. This development underscores the importance of vigilance and proactive cybersecurity measures to combat emerging threats effectively. Additionally, it serves as a reminder of the importance of user education and awareness to mitigate the risks associated with phishing and financial scams.

Amidst these developments, the revelation of thousands of domains being hijacked using CNAME takeover to propagate spam campaigns by researchers further underscores the significance of DNS security. This technique represents yet another avenue through which threat actors exploit vulnerabilities in DNS configurations to carry out malicious activities.

Impact

• Exposure to Sensitive Data
• Financial Loss

Indicators of Compromise

Domain Name

• land-nutra.b36cname.site
• new.xsdelx.top
• sej.progmedisd.site
• adin.czproftes.xyz
• visa.lukzev.xyz
• sun.autotrdes.top
• news.beneffit.top
• goiin.baltez-offic.xyz
• ultra-vest.one
• kingsman-adv.org
• abyss-world-asset.net
• makeyourpay.com
• auproject.xyz
• badanie-pl.site
• blog-vcnews.site
• capital-inwest.site

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Always be suspicious about emails sent by unknown senders.
• Never click on the links/attachments sent by unknown senders.
• Implement ongoing phishing awareness training for partners and staff.
• Implement a web application firewall to filter out malicious traffic and protect against common web-based threats. 
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Be vigilant and thoroughly check the URL to see if it’s legitimate before taking any action.